Network coding is promising to maximize network throughput and improve the resilience to random network failures in various networking systems. In this paper, the problem of providing efficient confidentiality for practical network coding system against a global eavesdropper (with full eavesdropping capabilities to the network) is considered. By exploiting a novel combination between the construction technique of systematic Maximum Distance Separable (MDS) erasure coding and traditional cryptographic approach, two efficient schemes are proposed that can achieve the maximum possible rate and minimum encryption overhead respectively on top of any communication network or underlying linear network code. Every generation is first subjected to an encoding by a particular matrix generated by two (or three) Vandermonde matrices, and then parts of coded vectors (or secret symbols) are encrypted before transmitting. The proposed schemes are characterized by tunable and measurable degrees of security and also shown to be of low overhead in computation and bandwidth.
1. Introduction
N
etwork coding is an elegant and novel routing approach that generalizes traditional routing where each node simply stores and forwards the incoming packets
[1]
. It has been proved that network coding can potentially maximize network capacity, improve transmission efficiency, and increase network robustness
[2]
,
[3]
,
[4]
. Recently, network coding has received a large number of applications in wired and wireless networks
[5]
. Moreover, an often noted advantage of network coding over traditional packet forwarding protocols is the inherent protection that it provides against eavesdropping
[6]
. This inherent security is an important issue of general interest to the research community, and has been attracting much attention.
In
[7]
, Cai and Yeung first studied an information theoretic secure network code over a wiretap network for single source multicast, where a wiretapper can eavesdrop any one but not more than one set of channels, called a wiretap set, unknown by the transmitter and receivers, from a given collection of all possible wiretap sets of a fixed size r. For this special case, they also proved some tight fundamental performance bounds. Subsequently, Feldman et al.
[8]
pointed out a tradeoff between the size of the message set and the size of the transmission alphabet. The scheme, as well as the scheme in
[7]
, is essentially a coset coding scheme that uses the message to select a coset of a Maximum Distance Separable (MDS) code and transmits a random codeword within the coset. Both can be considered as a generalization of wiretap channel II
[9]
. A similar equivalent problem was covered in
[10]
. However, these security schemes with perfect security are only designed for some specific network codes, each also requires coding over a large field and thus shows inefficiency in applications. To address this issue, Silva and Kschischang
[11]
exploited a universal perfectly secure network coding scheme independent of any linear codes, but involves expensive arithmetic operations over a large extension field. More recently, Cheng et al.
[12]
extensively investigated the wiretap channel II
[9]
when the wiretap sets consists of arbitrary subsets of channels and obtained some more general performance bounds comparing to the existing schemes.
For practical consideration, Bhattad and Narayanan
[13]
proposed a relaxed model of security whose goal is also to get rid of the loss of information rate in the secure network coding and maximally secure against guessing. Herein, security is defined as wiretappers not being able to obtain any meaningful information of source messages without trading off the throughput. However, the scheme incurs complicated construction of an encoding matrix which also depends on the network topology and the specific network code. Thereafter, another weakly secure scheme was introduced by Silva et al.
[14]
based on rankmetric codes, it can be applied on top of any linear network code seamlessly. Unfortunately, they also showed the existence of universal weakly secure network code, but have not shown an explicit construction. Besides, their code construction involves expensive arithmetic operations over a large extension field at the source, while incurring the similar inefficiency as the scheme in
[13]
. Furthermore, this practical security was then explored for trusted storage based on a secret sharing technique
[15]
, where part of blocks are protected by the remaining parts, and vice versa. Interestingly, another parallel work with imperfect secrecy under a generalization of wiretap channel II
[9]
was presented in
[16]
where the wiretapper can obtain some partial information about the private message which is measured by the equivocation of the message given the symbols obtained by the wiretapper. They also proved a tight region of the achievable rate tuples.
The most attractive advantage of these information theoretic based secure schemes includes that no secret sharing is needed between the source and receivers. Moreover, these schemes also provide measurable or quantifiable privacypreserving viewing from the angle of information theory. However, the major disadvantage or impracticality of these schemes is that they must restrict the eavesdropping capacity, which is not the case in some realistic scenarios. Actually, as for wireless network, it is possible that a wiretapper can access global network linkages because of the broadcast nature of the wireless interface. To address this problem, securing network coding in conjunction with traditional cryptographic approaches emerges in general applications.
As we all know, traditional encryption has been broadly employing in military or commercial systems. It means that the wiretapper cannot obtain the protected information without the secret key. An intuitive approach based on traditional cryptography is to employ linktolink encryptions on coded packets. However, this method is not feasible as it will bring heavy computational overhead to each node, and result in significant performance degradation. Hence, it is indeed unwise to encrypt all confidential messages without regard to the intrinsic security properties of network coding in network coding settings.
The mixing feature of network coding can be used to ensure confidentiality more efficiently by protecting much shorter coding vector instead of the long message content. By viewing the network code as a cipher, it is possible to create a lightweight cryptographic scheme that reduces the overall computational complexity. As a practical example, Vilela et al.
[17]
proposed a computationally secure network coding scheme by means of hidding the precoding matrix. However, the scheme is actually insecure when some plaintext are disclosed unless onetimepad/precoding is adopted, which will incur heavy bandwidth overhead for transmitting precoding information. Another elegant solution is to protect the coding vectors using Homomorphic Encryption Functions
[18]
, but substantial homomorphic cryptographic operations greatly degrade the communication efficiency. As a variant and extension of the scheme in
[17]
, Lima et al.
[19]
designed a secure solution by additionally encrypting partial vector packets. However, the same bandwidth overhead occupied as that of global coding vector will be used to transmit the precoding vector. In addition, Zhang et al.
[20]
proposed a scheme called PCoding, which would be more inefficient than traditional full encryption since all the information symbols of each generation (even including the global coding vectors) have to be protected.
Mostly, the existing traditional cryptographic based schemes always realize the security by means of the encryption or protection to the global coding vectors. On one hand, the security of this kind cannot be proven to satisfy or guarantee the practical applications; On the other hand, these schemes show to be inefficient in either computation or bandwidth, as the security feature provided by random linear network coding (RLNC) is not fully exploited. More importantly, it is hard to evaluate the degree of security provided by these schemes. Therefore, how to provide efficient and exact security against wiretapping is still an open issue in practical applications for network coding, which becomes the main contribution of our work.
In sum, both kinds of solutions suffer from various drawbacks as mentioned above. In this paper, we further exploit the practically appealing security and propose two efficient weakly secure network coding schemes in terms of bandwidth overhead and security requirement. Both schemes are inspired by the idea of
[13]
, and rely on the novel combination of traditional cryptographic approach and the construction technique of systematic MDS erasure coding by the Vandermonde matrices as presented in
[22]
. The following are some features of our scheme:

1) It ensures practical security against global eavesdropper and can be applied on top of any network codes.

2) The implementation is computationally efficient and incurs low communication overhead.

3) It provides measurable and tunable confidential service without taking the network topology or specific network code into account, while the tradeoff is easily achieved between security complexity and communication overhead.
The remainder of this paper is organized as follows. Section 2 describes the system model and adversary model, as well as some preliminaries behind this paper. The proposed basic scheme and security analysis are then presented in Section 3 and 4. An alternative scheme with low encryption overhead is shown in Section 5. The performance evaluation of the proposals is exhibited in Section 6. Section 7 surveys some related work. Finally we conclude this paper in Section 8.
2. Models and Preliminaries
 2.1 Network Model
We adopt the general random linear network coding model introduced in
[4]
. A network can be represented as an acyclic directed graph, and each edge is assumed to transport a row vector defined in a finite field F
_{q}
in unit time. The transmitted message is firstly divided into a sequence of vector groups of the same size called generations (or sessions), each can be also represented as a matrix containing
m
(row) vectors
v_{i}
= (
v
_{i}
_{1}
,
v
_{i}
_{2}
,...,
v
_{in}
)∈
(
i
= 1,2,...,
m
) which span an
m
dimensional linear space
. Here consider a general multicast case in which one source needs to deliver a series of generations to a set of sinks.
Before sending, the source first creates
m
augmented vectors
∈
(
i
= 1,2,...,
m
) for each generation by prefixing
v_{i}
with the
i
^{th}
unit vector of dimension
m
, i.e,
For each intermediate node, it receives the vectors
from its
l
inputting links respectively, and forwards a linear combination formed by
into each outgoing link, where the coefficients
α
_{1}
,
α
_{2}
,...,
α_{l}
are selected in F
_{q}
for the outgoing link. Note that only vectors from the same generation are encoded. Obviously, the first
m
symbols of
are termed as global encoding coefficients.
Different methods for selecting the coefficients yield different types of network coding. When the {
α_{i}
} are deterministic for each intermediate node, the resulting code is referred as deterministic network coding. If the {
α_{i}
} are chosen randomly and independently by each intermediate node, the resulting code is termed as RLNC.
At the network terminals, every sink performs decoding operations to the received generations. As stated in
[4]
, one generation can be recovered with a high probability if a proper large coding field is utilized in multicast. For example, a sink has received
m
legitimate independent vectors
= (
e_{i}
;
c_{i}
)∈
(
i
= 1,2,...,
m
) belonging to the generation represented as a matrix
F
at the source, the sink can recover
F
using Gaussian Elimination as
where
and
.
 2.2 Adversary Model
In this paper, the adversary considered is an internal or external wiretapper with computation bounded power, aims at intercepting packets and decoding them to extract meaningful information. Moreover, the wiretapper has the capabilities to wiretapping all the network transmissions (excluding the secret keys) and possesses full knowledge of encoding and decoding schemes at each node. The eavesdropper with these characteristics is called as global wiretapper, which can be achieved in real practice. Without loss of generality, we assume the source and terminals are always trusted and can never be compromised by an adversary. The wiretapper can be always aware of the existence of the proposed schemes, even also the intermediate nodes can be monitored or compromised.
 2.3 Practical Security
Let us denote by
M
the multicast information, and
C
a set of ciphertext messages observed by a wiretapper.
We first recall the Shannon security, where the ciphertext
C
is considered to be secure against wiretapping with regard to
M
if the mutual information between
C
and
M
equals 0, i.e.,
I
(
C
;
M
)= 0. The security criterion considered by
[7]
,
[8]
,
[10]
,
[11]
fall in this category.
Compared to the Shannon security, the weakly secure network coding proposed by
[13]
is a different information theoretic security model with more practically appealing. We term this type of security in this paper as practical security.
Under practical secrecy criterion, the ciphertext
C
is considered to be secure with regard to
M
if
C
has no meaningful information with regard to
M
, that is,
I
(
x_{i}
;
M
)=0, ∀
x_{i}
∈
M
. For example, if a wiretapper can only observe the message of the form
c
= 4
x
+3
y
over F
_{q}
, a practical secure scheme guarantees that
I
(
x
;
c
) =
I
(
y
;
c
) = 0 , but
I
(
x
,
y
;
c
) ≠ 0. Naturally, the goal of an adversary is to recover as much meaningful information with regard to the plaintext data as possible.
Practical security is more suitable for energyconstrained networks where network coding applications may not have perfect secure requirements in practice. The most appealing advantage of the practical security is that it allows communication at maximum rate while ensuring that only meaningless information is leaked to the adversary.
 2.4 Matrices with No Singular Square Submatrices
In practical applications, the matrices over F
_{q}
with no singular square submatrices are used to build systematic MDS erasure codes. Over a given finite field, the matrices with this property can be constructed according to the following theorem.
Theorem 1
(
[21]
): Let us denote by
A
and
B
two
r
×
r
matrices of rank
r
over a given field such that any
r
×
r
submatrix of the
r
×2
r
matrix (
A

B
) has a rank
r
, the matrix
A
^{1}
·
B
is such that any of its square submatrices is nonsingular.
Among the matrices with this property, the class constructed by two Vandermonde matrices is an excellent candidate to build systematic MDS codes principally since matrixvector multiplications can be performed very efficiently, especially when fast Fourier transform (FFT) can be used
[23]
.
3. Proposed Secure Network Coding Scheme
In this section, we introduce the basic secure scheme for RLNC over wireless networks. The scheme can be naturally used for deterministic network coding over wired networks.
The plaintext of the generation is represented as an
m
×
n
matrix
, where
v_{i}
= (
v
_{i}
_{1}
,
v
_{i}
_{2}
,...,
v
_{in}
)∈
(
i
= 1,2,...,
m
) are termed as source vectors. Also, the Vandermonde matrix
is denote by
V
(
a
_{1}
,
a
_{2}
,...,
a_{m}
) in following text. To make concise presentation, a transmitting instance for only one generation is presented below.
 3.1 Secure Source Coding
Before source coding, the proposed scheme needs a onetime key predistribution to begin with, the relevant technique of key distribution is complemented later. To achieve security, the key idea is to encrypt the crucial information by which the plaintext can be easily recovered. Under this idea, the following operation steps need to be performed:
1) The source generates two public
m
×
m
Vandermonde matrices
V
_{1}
=
V
(
a
_{1}
,
a
_{2}
,...,
a_{m}
) and
V
_{2}
=
V
(
b
_{1}
,
b
_{2}
,...,
b_{m}
) over F
_{q}
, and computes
2) The vectors
are encrypted to be the vectors
z
_{1}
,
z
_{2}
,...,
z_{m}
using an encryption mechanism
E
(such as, AES in a stream cipher mode), where the integer set {
i
_{1}
,
i
_{2}
,...,
i_{r}
}⊂{1,2,...,
m
}is predetermined and
z_{ik}
=
E
(
w_{ik}
)(
k
=1,2,...,
r
).
3) The source constructs the packets
p_{i}
(
i
=1,2,...,
m
) which are composed by prefixing
z_{i}
with the
i
^{th}
unit vector of dimension
m
. The packets are then sent out to the network.
For simplicity, the case without loss of generality that the first
r
vectors, i.e.,
w
_{1}
,
w
_{2}
,...,
w_{r}
, are encrypted is considered herein. Let us consider a scenario such as the one when
m
= 3,
r
= 1 at the source coding depicted in
Fig. 1
.
Illustration of the operations at the source when m= 3, r = 1. The source vectors v_{1}, v_{2},..., v_{m} are encoded to be z_{1}, z_{2},..., z_{m} at the step 1 and 2. One row of identity matrix is generated for each coded source vector. Each packet is composed by a header which includes a row of identity matrix I_{3} . Then the packets are sent into the network using standard network coding protocol.
 3.2 Packets Relay
The network forwarder (or encoder) is an important component of the wireless relays of the network coded system. Every forwarder linearly combines the received packets according to the rules of standard RLNC protocol
[4]
.
 3.3 Decoding at Sinks
A sink (or recipient) first applies Gaussian elimination on the global encoding matrix to decode
z
_{1}
,
z
_{2}
,...,
z_{m}
and then decrypts
z
_{1}
,
z
_{2}
,...,
z_{r}
with the corresponding key as to recover the vectors
w
_{1}
,
w
_{2}
,...,
w_{r}
Using the publicly constructed matrix
A
, the sink obtains the plaintext vectors
v
_{1}
,
v
_{2}
,...,
v_{m}
by
M
=
A
^{1}
·
W
.
4. Security Analysis
In this section, the proposed scheme is shown to be secure against wiretapping attacks under the following feasible constraints. Each element of the original data, or plaintext, is uniformly distributed and mutually independent over F
_{q}
. Actually, it can always be satisfied by applying entropy coding on the source vectors. Besides, we assume that the used cipher
E
such that the output is independent of the plaintext and uniform distributed over F
_{q}
.
Theorem 2:
For a computational bounded adversary, the proposed scheme can achieve practical security to protect the plaintext
M
even if the entire ciphertext
Z
has been wiretapped.
Proof:
Consider that each plaintext symbol is mutually independent and uniformly distributed over F
_{q}
, we can easily conclude that the same statistical properties is satisfied among the columns of any one generation plaintext matrix
M
. Therefore, the security discussion to the first column of
M
(donoted as
s
= (
v
_{11}
,
v
_{21}
,...,
v
_{m}
_{1}
) ) is enough in the following.
Assume that a wiretapper has collected as many packets to recover all
z_{i}
(
i
= 1,2,...,
m
) , but he cannot obtain any meaningful information about
w
_{11}
,
w
_{21}
,...,
w
_{r1}
which are encrypted by a secure cipher
E
. Although
w
_{r+1,1}
,
w
_{r+2,1}
,...,
w
_{m}
_{1}
and
A
can be observed by the wiretapper, they do not help him to solve the plaintext vector
s
with
m
unknowns by
m

r
linear equations.
From the statement of Theorem 2 in
[13]
, if a secure scheme is considered to be weakly secure, it must resist a certain number of guesses, which is also a threshold against wiretapping. If more guesses beyond the threshold can be done by the wiretapper, he can also recover all plaintext vectors.
Next, we will show that our scheme can effectively resist
r
1 guesses with regard to
s
, i.e., the security threshold to recover
s
is
r
1.
There exists a wiretapper that has the ability to guess any subset of
r
1 elements of
s
. Without loss of generality, we assume that the guessed plaintext subset Փ consists of the first
r
1 elements of
s
. To recover the content of
s
, the wiretapper must construct and try to solve the following system of equations according to the known information, i.e.,
When the wiretapper sets
v
_{i}
_{1}
=
(
i
= 1,2,...,
r
1) after
r
1 guesses, we have that
where
.
It is easily to show that the system (2) always exists a free variable for each equation. Note that any square submatrices of
A
is nonsingular, the coefficient matrix (denoted by
A'
) of (2) should be full row rank according to Theorem 1. Therefore, when we put the coefficient matrix
A'
in the reduced row echelon form (
I
_{mr}
;
h^{T}
) , the last column
h^{T}
cannot include 0. Otherwise, we assume the first element is 0, the square matrix composed by all the columns of
A'
except the first one is an exact singular matrix, which is a contradiction.
From the informationtheoretical aspect, we have that the mutual information between the ciphertext and the guessed plaintext subset equals to 0, i.e.,
I
(
z
_{1}
,
z
_{2}
,...,
z_{m}
;
Փ
) = 0. The result always implies that
I
(
z
_{1}
,
z
_{2}
,...,
z_{m}
;
v
_{i}
_{1}
) = 0(
i
= 1,2,...,
m
) in conjunction with the above statements, which obviously meets the practical security criterion in this paper.
Generally, the security analysis to the case that Փ is any arbitrary
r
1 plaintext symbol guessed set is similar to the discussion above. Particularly, if the
r
1 guesses to the unknown symbols of the chosen subset Փ are exact what values of they are, then one more successful guess would result in full disclosure of the plaintext data. □
Theorem 2 shows that the algebraic property of
A
guarantees that the proposed scheme is always practical secure against any
r
1 successful guesses to the plaintext data. Although the wiretapper can observe the other
nr
packets that are not encrypted, he cannot recover any value(s) of the plaintext symbol(s) unless all encrypted packets have been revealed.
But have to say, the efficiency of the source coding is even more important than security in some scenarios such as realtime or resourceconstrained networks. We observe that the proposed scheme may consume much computation resource for encryption operation and the resulting coding complexity maybe still a burden for some resourceconstrained systems. To overcome this issue, an alternative smarter scheme is designed for more general circumstances, and particularly features lower encryption overhead for those special applications in the following section.
5. An Alternative Scheme With Low Encryption Overhead
Recall the proposed basic scheme just described can achieve the maximum possible rate for transmission. In reality, the tradeoff between security overhead and bandwidth usage is feasible to improve the system efficiency for practical requirement. It is possible that a little bandwidth sacrifice would be exchanged for greatly reduce the security overhead, under which a lightweight scheme is obtained with low encryption overhead based on the basic scheme.
 5.1 Construction
As the basic scheme, the key predistribution is first performed in advance. The details of this scheme performed at the source and sinks are described as follows:
 (1) Secure Source Coding
1) Generates two public
m
×
m
Vandermonde matrices
V
_{1}
=
V
(
a
_{1}
,
a
_{2}
,...,
a_{m}
),
V
_{2}
=
V
(
b
_{1}
,
b
_{2}
,...,
b_{m}
) over F
_{q}
, and
r
vectors Δ
_{i}
=
(
i
=1,2,...,
r
) , where
σ_{i}
are chosen uniformly at random from all nonzero elements of F
_{q}
.
2) Computes
.
3) Chooses a predetermined integer set {
i
_{1}
,
i
_{2}
,...,
i_{r}
}⊂{1,2,...,
m
} and constructs an encoding matrix
where ｜
A*
｜≠0 and
4) Computes
.
Obviously, the encoding matrix
A*
is generated by three Vandermonde matrices
V
_{1}
,
V
_{2}
and
.
5) Encrypts
σ_{k}
to be
β_{k}
=
E
(
σ_{k}
),
k
= 1,2,...,
r
. When
k
=
i
_{1}
,
i
_{2}
,...,
i_{r}
,
β_{k}
is attached to be the prefix of the vector
w_{k}
; Otherwise, an arbitrary element
β_{k}
over F
_{q}
is padded to be the prefix of
w_{k}
(
k
≠
i
_{1}
,
i
_{2}
,...,
i_{r}
) .
6) Generates the packet
p_{i}
(
i
=1,2,...,
m
) as the following form, which is composed by prefixing
z_{i}
=
w_{i}
with the
i
^{th}
unit vector of
m
dimension, i.e.,
The packets
p
_{1}
,
p
_{2}
,...,
p_{m}
are then sent into the network using standard RLNC protocol. Another operation instance when
m
= 3,
r
= 1 for secure source coding is illustrated in
Fig. 2
.
Illustration of the operations at the source when m= 3,r = 1 and i_{1} =1. Note that , z_{i}=w_{i} but β_{2}, β_{3} are padded by two arbitrary elements from F_{q} .
 (2) Decoding at Sinks
Every sink first decodes the packets
p
_{1}
,
p
_{2}
,...,
p_{m}
using Gaussian elimination, and then decrypts
β_{k}
(
k
=
i
_{1}
,
i
_{2}
,...,
i_{r}
) . Finally, the plaintext generation matrix
M
is recovered at the sink through the matrix
A^{*}
.
 5.2 Security Analysis
The alternative scheme is a variant and extension of the basic scheme, and characterized by a lightweight security with less encryption operations is performed. Under the same assumption, the security of the alternative scheme is discussed similarly as the basic scheme.
First, a lemma is first shown in the following.
Lemma 1:
Let the plaintext data be a vector
m
= (
m
_{1}
,
m
_{2}
,...,
m_{m}
) whose components
m_{i}
,
i
= 1,2,…,
m
, are random symbols independently and uniformly distributed over F
_{q}
,
β
is a random symbol chosen from F
_{q}
. If
η
= (
η
_{1}
,
η
_{2}
,...,
η_{m}
) = (
β
,
β
^{2}
,...,
β^{m}
) and
δ
=
μ
·
η
, the mutual information between
μ
and
δ
is zero.
Proof:
The lemma is easy to follow. Actually, we have that
According to the chain rule of entropy, we have
where
means a observation or realization of the random variable
μ_{i}
. In the following, we only analyze the case
. Note that
δ
=
μ·η
, so we have
where (5) and (6) follows from
and
η_{i}
=
β^{i}
. Eq. (7) is valid because
β
is independent from
μ_{m}
.
Furthermore, the random symbols
m_{i}
(
i
= 1,2,...,
m
) are independently and uniformly distributed over F
_{q}
, we have that
On the other hand, the mutual information
I
(
μ
;
δ
) is not always less than 0, then it follows that
I
(
μ
;
δ
) = 0 from Eq. (3) and Eq. (4).
Theorem 3:
For a computational bounded wiretapper, the alternative scheme satisfies the criterion of practical security.
Proof:
Without loss of generality, we set
r_{i}
=
i
(
i
=1, 2,...,
r
) and assume the wiretapper has the ability to guess at most
r
1 plaintext symbols. We only analyze two typical cases that are the most conducive to the wiretapper. As the same reason in Theorem 2, only the first column of the generation plaintext matrix
M
, i.e.,
s
= (
v
_{11}
,
v
_{21}
,...,
v
_{m}
_{1}
), is considered herein.
1) Case 1: If the wiretapper tries to reveal the secrets set
β
_{1}
,
β
_{2}
,...,
β_{r}
, he has the only way to guess any
r
1 secret symbols of the set (here for
β
_{1}
,
β
_{2}
,...,
β
_{r1}
as an example). However, there still exists a free unknown variable
β_{r}
, which means that the wiretapper cannot collect any meaningful information to construct
A
^{*}
.
2) Case 2: The wiretapper chooses to distill the plaintext information of the vector
s
. According to Lemma 1, he has no ability to get any meaningful information to
s
even if
z
_{1}
,
z
_{2}
,...,
z_{m}
are all known to the wiretapper. By the discussion in Theorem 2, we can conclude that the alternative scheme can resist any
r
1 guesses to any one plaintext vector.
Generally, we can similarly conclude that the wiretapper can also guess any
r
1 symbols out of
β
_{1}
,
β
_{2}
,...,
β_{r}
and
s
. In a nutshell, the alternative scheme satisfies the practical security criterion, and guaranteed practical security against wiretapping in the general scenarios.
6. Performance Analysis
In this section, we discuss the performance of the proposed schemes in term of computational complexity and communication overhead. Besides, the main security characteristics of both schemes are elaborated on as well.
 6.1 Computational Complexity
The analysis to the computation overhead of both schemes consists of three parts: (1) matrixvector multiplication; (2) encryption; (3) decoding at the sinks. As part of public transmitted message, the matrices
V
_{1}
and
V
_{2}
can be generated offline, so the computation cost to construct them can be neglected in the following discussion.
 (1) Matrixvector multiplication
 1) Analysis to the basic scheme
Compared to the standard rule of matrixvector multiplication, the Vandermonde or inverse of Vandermonde matrixvector multiplication can be more efficient. As pointed out in
[23]
, the computation complexity is at most
O
(
m
log
^{2}
m
) rather than
O
(
m
^{2}
) in generic ones. For reducing the computation overhead, the encoding to one generation plaintext matrix
M
by left multiplying
A
, i.e.,
A
·
M
, can be computed by multiplying
M
using two matrices, i.e.,
·(
V
_{2}
·
M
) . Since one generation plaintext data is composed by
n
column vectors, we can conclude that the computational complexity of this part in the basic scheme is
O
(
mn
log
^{2}
m
).
Also, the complexity of this part can be further improved considering the case when
m
is a divisor of
q
1 and the two Vandermonde matrices are generated by two elements of F
_{q}
of order
m
respectively
[23]
. Under this setting, the encoding operations in this phase can be performed at most
O
(
mn
log
m
) by using Fast Fourier Transform (FFT).
 2) Analysis to the alternative scheme
Different from the basic scheme, the source in the alternative scheme needs to perform standard matrixvector multiplication, so the computational complexity for matrixvector multiplication is
O
(
m
^{2}
n
) as well as
O
(
rm
) for generating the Vandermonde matrix
V
_{3}
. In network coded applications, the scheme does not increase the overall compution overhead, because Gaussian elimination is already required for the decoding of network coding, which always performs the same computational complexity, i.e.,
O
(
m
^{2}
n
) .
In sum, the proposed schemes present several advantages in source coding complexity. In
[13]
,
[14]
, it is not a easy task of finding a suitable source coding matrix over a large coding field that exactly satisfies the practical security, which greatly lowers the coding efficiency. More seriously, the issue with lack of scalability is primary reason is restraining the existing schemes of this kind applications. As stated in
[13]
, the choice of the source coding matrix is also dependent on the particular network topology and the underlying network code, which severely impacts on the applications of network coding. In contrast, the coding matrix at the source in this paper can be easy and efficient in construction. Due to no adaptation to encode the plaintext data using random matrix as used in
[17]
,
[18]
, the proposed schemes can be more efficiently to prevent the global wiretapping.
 (2) Encryption
The encryption to the secret symbols can be efficient implemented using symmetric cipher, such as a block cipher constructed in the counter (CTR) mode
[24]
. The parameters of the adopted cipher should be adjusted to approximate these criteria
[25]
.
Different from the schemes in
[17]
,
[18]
, the proposals do not additional hide the encoding matrix itself, thus greatly reduce the encryption overhead. In contrast, the encryption volume per generation of the proposals is minimized from
nr
in the basic scheme to
r
in the alternative scheme, while this volume in
[17]
,
[18]
is even up to
m
(
m
+
n
) . Obviously, both proposals are characteristic by manageable complexity and lightweight encryption overhead.
 (3) Decoding at the sinks
Based on the above discussion, a sink needs to take at most
O
(
mn
log
^{2}
m
) or
O
(
m
^{2}
n
) algebraic operations in both proposed schemes respectively after decoding using Gaussian Elimination and decryption.
 6.2 Communication Overhead
Since the encoding matrix
A
can be public, so the maximum rate can be achieved using the basic scheme without trading off the throughput. Unlike the schemes in
[13]
,
[14]
, the implementations of the proposed schemes do not require a large field or extension field for secure coding, which makes the computation and bandwidth resource can be further saved. Compared to the basic scheme, the alternative scheme also features lower security overhead, while the ability to reduce the encryption volume comes at the cost of little bandwidth penalty. Luckily, this communication overhead is still far less than that of the schemes in
[17]
,
[19]
, where the precoding matrix must be online exchanged securely therein between the source and sinks.
As stated in Section 3, it is necessary that the proposed schemes require shared secret keys between the source and several legitimate destinations. There has been considerable research that provides security solutions to the key predistribution mechanism in multicast. while the specifics of the key predistribution mechanism are not the central topic of this paper, but excellent solutions including offline key predistribution or broadcast encryption
[26]
can be commonly recommended in this paper. Before the proposals running, the secret key has been generated and shared among all authorized participates in advance, which would bring to some bandwidth overhead of which the amount is about
O
(log
_{2}
n
) during the startup time (
n
denotes the number of authorized participates in the network). Notice that the key distribution does not pertain to the main body of the proposed scheme itself, so it is easily seeing that the additional overhead brought by the key distribution actually does not affect the lightweight specificity of the proposed schemes in traffic. Thus, the overhead for secret key sharing is omitted in the following analysis.
Table 1
shows that the proposed schemes enjoys important advantages compared to the existing schemes.
Comparisons between the proposals and the existing typical schemes
Comparisons between the proposals and the existing typical schemes
 6.3 Measurable and Tunable Security
From the proofs of Theorem 2 and 3, both schemes can provide the security against global wiretapping with measurable degree which is evaluated by the metric“mutual information”
[27]
. Actually, both schemes can effectively resist up to
r
1 guesses to any column vector of any generation plaintext. Furthermore, the security degrees provided by the proposed schemes can be finely tuned since
r
is a tunable systematic parameter, which can characterize different security configurations. Therefore, the proposals can realize and offer a tunable and efficient security service without taking environment and/or application characteristics explicitly into account. Meanwhile, the optimal tradeoff between the security requirement and computational complexity can be achieved easily.
 6.4 An Implementation Example
To support our discussion, this section presents a practical implementation using AES. Herein, the source wants to transmit a file of 200 megabytes to the receivers. The file is encoded into 655.360 generations of 320 bytes. Every generation is represented as an 8×20 matrix
V
in
, i.e.,
m
= 8,
n
= 20 . For securing the communication, the source performs the proposed basic scheme for each generation in the same way.
According to the statements in Section 3 and 5, the example needs to encrypt 20 and 1 plaintext symbols per generation respectively when
r
= 1 in the basic and alternative schemes, the corresponding encryption ratios are
= 12.5% and
= 0.625%, thus the encryption volumes for the transmission of the file are 25 and 1.25 megabytes. In contrast, the amounts are high up to 80 megabytes and 49 megabytes in
[17]
and
[19]
respectively.
7. Discussion
In this paper, we mainly address the issue of designing practicaloriented security for network coded systems. Meanwhile, some other indispensable issues should be paid attention to in real applications.
The informationmixing nature of network coding also renders it highly susceptible to “pollution attacks” in which some faked packets are injected into network information flow. The polluted data packets will propagate quickly that even worse the receivers cannot decode any original plaintext data. As a necessary assistance of our scheme, the techniques in
[28]
,
[29]
can be used to effectively mitigate pollution attacks whereas at some cost of delay and overhead.
In order to achieve reliable communication over unstable or extreme networks, the alternative solutions, such as resilient network coding
[30]
or network errorcorrecting codes
[31]
, should be introduced to improve the robustness for network failure and packet losses/errors. Besides, all the forwarders (including the intermediate nodes and the receivers) should reserve a storing buffer for collecting or decoding the coded packets for network coding.
Which one of the proposals in this paper is selected for concrete applications needs a comprehensive consideration towards the tradeoff between the security complexity and communication overhead. From the above analysis, the basic scheme features low communication overhead, while the alternative scheme is characterized by lightweight security complexity. Although the first can achieve the maximum network throughput, the second one shows a more promising potential for applications due to its lower security penalty.
8. Conclusion
In this paper, we focus on how to achieve practically secure network coding against global wiretapping in an efficient way instead of encrypting all transmitted symbols. The basic idea is to exploit the algebraic structures of systematic MDS erasure codes and Vandermonde matrices by means of the traditional cryptographic technique. Under this idea, we propose two effective schemes with low complexity that can provide measurable and tunable security levels for different requirements. Under the assumption of zeroerror communication, the basic scheme is showed to achieve the maximum possible rate, while the alternative scheme is characterized by low encryption overhead. Both can be deployed on top of any communication network without requiring knowledge of the underlying network code.
Our work only focused on wiretapping attacks. We note that systematic MDS codes built from the matrices with no singular submatrices have been widely used in practical applications to cope with losses of data packets
[32]
. Intuitively, the proposed scheme has the promising potential to be an alternative solution to design secure errorcorrecting codes (such as the scheme in
[33]
) against global attackers, which becomes part of our future work.
BIO
Guangjun Liu received his M.S. degree in applied mathematics and Ph.D degree in cryptography from Xidian University, Xi’an, China, in 2009 and 2013, respectively. He is currently a lecturer at the school of mathematics and computer engineering in Xi’an University, Xi’an, China. His research interests include cryptography and information security, secure network coding and applications.
Ahlswede R.
,
Cai N.
,
Li S.Y. R.
,
Yeung R. W.
2000
“Network information flow”
IEEE Transactions on Information Theory
46
(4)
1204 
1216
DOI : 10.1109/18.850663
Koetter R.x
,
Medard M.
2003
“An algebraic approach to network coding”
IEEE/ACM Transactions on Networking
11
(5)
782 
795
DOI : 10.1109/TNET.2003.818197
Chen Y.
,
Feng G.
,
Zhou L.
“Using network coding to improve robustness and persistence for data transmission in sensor networks”
in Proc. of 6th International ICST Conference on Communications and Networking in China (CHINACOM)
2011
1170 
1175
Ho T.
,
Médard M.
,
Koetter R.
,
Karger D.
,
Effros M.
,
Shi J.
,
Leong B.
2006
“A random linear network coding approach to multicast”
IEEE Transactions on Information Theory
52
(10)
4413 
4430
DOI : 10.1109/TIT.2006.881746
Fragouli C.
,
Soljanin E.
2007
“Network Coding Applications”
Journal of Foundations and Trends in Networking
2
(2)
135 
269
DOI : 10.1561/1300000013
Du R.
,
Zhao C.
,
Zhao F.
,
Li S.
2013
Strategies of network coding against nodes conspiracy attack
Security and Communication Networks
Cai N.
,
Yeung R. W.
“Secure network coding”
in Proc. of International Symposium in Information Theory
2002
Feldman J.
,
Malkin T.
,
Stein C.
,
Servedio R. A.
“On the capacity of secure network coding”
in Proc. of 42nd Annual Allerton Conference on Communication, Control, and Computing
2004
http://people.csail.mit.edu/jonfeld/pubs/sflow_Allerton04_final.pdf
Rouayheb S. Y. E.
,
Soljanin E.
,
Sprintson A.
2012
“Secure network coding for wiretap networks of type II”
IEEE Transactions on Information Theory
58
(3)
1361 
1371
DOI : 10.1109/TIT.2011.2173631
Silva D.
,
Kschischang F.R.
2011
“Universal Secure Network Coding via RankMetric Codes”
IEEE Transactions on Information Theory
57
(2)
1124 
1135
DOI : 10.1109/TIT.2010.2090212
Cheng F.
,
Yeung R. W.
2014
“Performance Bounds on a Wiretap Network with Arbitrary Wiretap Sets”
IEEE Transactions on Information Theory
60
(6)
DOI : 10.1109/TIT.2014.2315821
Bhattad K.
,
Narayanan K. R.
“Weakly secure network coding”
in Proc. of 1st Workshop on Network Coding, Theory, and Applications (NetCod05)
2005
http://netcod.org/papers/06BhattadNfinal.pdf
Silva D.
,
Kschischang F. R.
“Universal weakly secure network coding”
in Proc. of IEEE Information Theory Workshop on Networking and Information Theory
2009
281 
285
Oliveira P. F.
,
Lima L.
,
Vinhoza T. T. V.
,
Médard M.
,
Barros J.
“Trusted Storage over Untrusted Networks”
in Proc. of IEEE Global Telecommunications Conference (GLOBECOM)
2010
1 
5
Cheng F.
,
Yeung R. W.
,
Shum K. W.
“Imperfect Secrecy in Wiretap Channel II”
in Proc. of IEEE International Information Theory (ISIT)
2012
Vilela J. P.
,
Lima L.
,
Barros J.
“Lightweight Security for Network Coding”
in Proc. of the IEEE International Conference on Communications (ICC)
2008
1750 
1754
Fan Y.
,
Jiang Y.
,
Zhu H.
,
Shen X.
“An efficient privacypreserving scheme against traffic analysis in network coding”
in Proc. of IEEE INFOCOM’09
2009
2213 
2221
Lima L.
,
Barros J.
,
Médard M.
,
Toledo A.
“Towards Secure Multiresolution Network Coding”
in Proc. of IEEE Information Theory Workshop on Networking and Information Theory (ITW)
Jun.1012, 2009
125 
129
Zhang P.
,
Jiang Y.
,
Lin C.
,
Fan Y
,
Shen X.
“PCoding: Secure Network Coding against Eavesdropping Attacks”
in Proc. of IEEE INFOCOM’10
2010
1 
9
Lacan J.
,
Fimes J.
“A construction of matrices with no singular square submatrices”
in Proc. of the 7th International Conference on Finite Fields and Applications, Lecture Notes in Computer Science
2003
vol.2948
145 
147
Lacan J.
,
Fimes J.
2004
“Systematic MDS erasure codes based on Vandermonde matrices”
IEEE Communications Letters
8
(9)
570 
572
DOI : 10.1109/LCOMM.2004.833807
Gohberg I.
,
Olshevsky V.
1994
“Fast algorithms with preprocessing for matrixvector multiplication problems”
Journal of Complexity
10
(4)
411 
427
DOI : 10.1006/jcom.1994.1021
Mollin R. A.
2006
“An Introduction to Cryptography”
CRC Press
Bellare M.
,
Desai A.
,
Jokipii E.
,
Rogaway P.
“A concrete security treatment of symmetric encryption”
in Proc. of the 38th Annual Symposium on Foundations of Computer Science
1997
394 
403
Moyer M. J.
,
Rao J. R.
,
Rohatgi P.
1999
“A survey of security issues in multicast communications”
IEEE Network
13
(6)
12 
23
DOI : 10.1109/65.806981
Cover T. M.
,
Thomas J. A.
2009
“Elements of Information Theory”
Cheng C.
,
Jiang T.
2013
“An efficient homomorphic MAC with small key size for authentication in network coding”
IEEE Transactions on Computers
2
(10)
2096 
2100
DOI : 10.1109/TC.2012.135
Zhang P.
,
Jiang Y.
,
Lin C.
,
Yao H.
,
Wasef A.
,
Shen X.
“Padding for orthogonality: Efficient subspace authentication for network coding”
in Proc. of IEEE INFOCOM
2011
1026 
1034
Jaggi S.
,
Langberg M.
,
Katti S.
,
Ho T.
,
Katabi D.
,
Médard M.
“Resilient Network Coding in the Presence of Byzantine Adversaries”
in Proc. of IEEE INFOCOM
2007
616 
624
Zhang Z.
2008
“Linear network error correction codes in packet networks”
IEEE Transactions on Information Theory
54
(1)
209 
218
DOI : 10.1109/TIT.2007.909139
MacWilliams F. J.
,
Sloane N. J. A.
1977
“The Theory of ErrorCorrecting Codes”
NorthHolland
New York
Ngai C. K.
,
Ph.D. Thesis
2008
“Network Coding for Security and Error Correction”
Ph.D. Thesis
http://iest2.ie.cuhk.edu.hk/~whyeung/post/thesis/Ngai.pdf